WeedHack Minecraft Malware Spreads Through YouTube and SEO Poisoning

A highly sophisticated Malware-as-a-Service (MaaS) campaign dubbed ‘Weedhack’ has been actively targeting the Minecraft gaming community since January 2026.

Masquerading as legitimate Minecraft clients and mods, the threat actors have distributed over 3,820 unique malicious JAR files across 240 URLs.

The campaign leverages aggressive search engine optimization (SEO) poisoning and YouTube tutorial videos to drive traffic, generating an estimated 2,000-3,000 daily hits.

With over 116,464 total infections primarily concentrated in the United States, Germany, and India, Weedhack offers a surprisingly low barrier to entry for cybercriminals.

The developers provide a free base tier and a premium subscription starting at just $5 per month, undercutting traditional stealth tools that cost hundreds of dollars.

YouTube SEO Spreads WeedHack

The Weedhack campaign relies heavily on manipulation and SEO dominance to trap victims.

Operators target open-source Minecraft clients that lack official domains, such as Meteor, Radium, and Wurst, and create polished but malicious websites for them on hosting platforms like lovable.app.

Attack Vector (Source: McAfee)

To drive traffic, attackers publish high-quality YouTube tutorials featuring human voiceovers and realistic gameplay, deliberately placing malicious download links in the video descriptions and pinned comments.

Security analysts confirm that this multistage operation is sold as a MaaS targeting players through these fake Fabric mods. Once executed, the initial payload, typically a file like DonutDupe.jar, runs silently via javaw.exe.

YouTube video promoting malicious Minecraft clients (Source: McAfee)

This first stage deploys “EtherHiding,” a novel evasion technique that abuses Ethereum JSON-RPC servers to fetch its command-and-control (C2) domain directly from a blockchain smart contract.

The responses are verified with an embedded RSA public key to prevent campaign takeover attempts. After resolving the C2, the malware fetches the Stage 2 payload (Elevator.jar), which is heavily protected by JNIC, a Java native obfuscator that translates the bytecode into native C code to hide its logic.

This stage bypasses Windows User Account Control (UAC) by running a malicious INF script via cmstp.exe.

Comments added by the threat actor (Source: McAfee)

It then drops a script (WinDefConfig.cmd) that allow-lists its execution paths in Windows Defender.

Subsequent payloads (SecurityManager.jar and Component.jar) establish aggressive persistence through registry run keys and scheduled tasks, ultimately deploying RuntimeBroker.exe for remote desktop capabilities and an infostealer (Telemetry.exe) that harvests data from 36 browsers and 68 crypto wallets.
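The chain described above leaves a recognisable process lineage on the endpoint: java(w).exe spawning cmstp.exe with an INF file, a Defender exclusion change, and scheduled-task or Run-key persistence created under the Java process. The following detection logic is an added example, not McAfee's or the article's code; it assumes Sysmon-style process-creation records flattened to dicts (pid, ppid, image, cmdline), assumes Add-MpPreference as the exclusion mechanism behind WinDefConfig.cmd (the article does not state the command), and uses constructed sample events and paths.

```python
"""Lineage-based detection heuristics for the Weedhack infection chain.
Input shape is assumed (Sysmon Event ID 1 fields); events are constructed."""
import re

# Constructed sample: one infected session plus a benign cmstp.exe launch from explorer.exe.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\u\Downloads\DonutDupe.jar"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Users\u\AppData\Local\Temp\setup.inf"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\WinDefConfig.cmd"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Local\Temp"'},
    {"pid": 600, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Telemetry /tr "C:\Users\u\AppData\Roaming\Telemetry.exe" /sc onlogon'},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\INF\vpn.inf"},  # not Java-descended: should not fire
]

JAVA_IMAGES = ("javaw.exe", "java.exe")

def java_ancestor(event, by_pid, max_depth=8):
    """Walk up the parent chain; return the java(w).exe ancestor event or None."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if cur["image"].lower().endswith(JAVA_IMAGES):
            return cur
    return None

def detect(events):
    """Return (pid, rule) hits for the three behaviours described in the article."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = e["image"].lower().rsplit("\\", 1)[-1]
        cmd = e["cmdline"]
        from_java = java_ancestor(e, by_pid) is not None
        # UAC bypass: cmstp.exe loading an INF under a Java process lineage.
        if img == "cmstp.exe" and re.search(r"\.inf\b", cmd, re.I) and from_java:
            hits.append((e["pid"], "cmstp_inf_from_java"))
        # Defender exclusion tampering (cmdlet is an assumed mechanism) or the named dropper script.
        if re.search(r"Add-MpPreference.*-ExclusionPath", cmd, re.I) or "windefconfig.cmd" in cmd.lower():
            hits.append((e["pid"], "defender_exclusion_change"))
        # Persistence: scheduled task creation or Run-key write from the Java lineage.
        task = img == "schtasks.exe" and "/create" in cmd.lower()
        runkey = re.search(r"\breg(\.exe)?\s+add\b.*\\Run\b", cmd, re.I) is not None
        if (task or runkey) and from_java:
            hits.append((e["pid"], "persistence_from_java"))
    return hits
```

Run against real Sysmon exports, the parent walk is what keeps the cmstp.exe rule quiet on legitimate connection-manager installs, as the last sample event shows.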

According to McAfee's research, Weedhack has become a major catalyst for severe cyberbullying.

Threat actors utilize the malware’s premium remote-access features such as live webcam feeds, microphone access, keylogging, and hidden screen sharing to monitor, harass, and threaten underage victims.

Attackers record extortion material and share these videos as cybercrime trophies on a dedicated Telegram channel, which recently boasted over 850 members.

Security researchers have documented how attackers exploit these specific remote access tools to terrorize younger gamers.

Indicators of Compromise

IOC Type              | Indicator (SHA-256)                                              | Description / Context
Stage 1 Payload (JAR) | F2100e1f73477bc565f8909e069942dac1f884654ed4ba213ca9a84b1e761ab8 | Glazed_Addon-1.0.0.jar
Stage 1 Payload (JAR) | D3f2464ae0e48218e1d48bdfab8301ee5236f7624adcdba1720dc27058461076 | paper-rig-mod-new.jar
Stage 1 Payload (JAR) | B982fbafa954a8dcf7cfcffe31bcF75a86b052b1f01cf535ffcafd2c48a56b60 |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post WeedHack Minecraft Malware Spreads Through YouTube and SEO Poisoning appeared first on Cyber Security News.
